Bretz 1
Kelsey Bretz
Dr. Oblitey
COSC 316
18 November 2013

Computer Forensics

Host security is the practice of securing the different end systems that are attached to a network, such as laptops, cellular devices, and tablets, to name only a few. Sensitive information on hosts or end systems needs to be treated with the appropriate degree of caution: access to it needs to be controlled, and its use needs to be regulated. The extent of the control and regulation depends on the importance of the information. Individuals are not going to go to great lengths to protect end systems holding information that is already public knowledge, whereas information that is highly secret and essential to productivity and functionality will be protected very well. The owner of those assets may sacrifice a great deal in order to keep their intellectual property safe.

The job of an administrator is to keep unauthorized users out of the system while ensuring access for the appropriate people. The general idea of this job sounds easy, but implementing it can be very difficult. For example, the same information that needs to be hidden from some people needs to be readily available to others. Since these two demands lie at opposite ends of the spectrum, there has to be a happy medium, and the system administrators are the ones who decide where the line needs to be drawn. At least one, and possibly both, of the requirements will ultimately be sacrificed to some degree. If the information is completely secure and locked away somewhere, it will not be available even to authorized users. On the other hand, if there are no constraints or protection on the information whatsoever, there will not be any security: the information will be readily available at all times, but this leaves it open and vulnerable.
The way to handle this problem is to find a happy medium where security and accessibility are both sacrificed to some degree. How much security and availability are sacrificed depends on the individual's needs and the requirements of the particular system, and is usually left to the system administrators to decide. Sacrificing security at any level leads, in the long run, to vulnerabilities. One way to deal with those vulnerabilities is through computer forensics.

Computer forensics is the use of technology and specialized techniques for the recovery, authentication and analysis of electronic data. It examines saved data, but it also attempts to retrieve information that has been altered or erased. Recovery techniques take advantage of computing devices because today they are the foundation for recording and communicating. Digital evidence is stored on devices, and the information collected through computer forensics is commonly used in the pursuit of an attacker or a criminal.

Many different professions are involved with computer forensics in today's society, including law enforcement, government agencies, the military, university programs, private computer forensic organizations, and IT and computer security professionals. These professions can be very different, but they use the same computer forensic concepts to reach different goals. For example, the goal of IT and computer security professionals is to protect sensitive information, so they use computer forensics at a corporate level. Law enforcement's number one goal, on the other hand, is to serve and protect society; to make society a safer place, they use computer forensics to investigate crimes, find criminals and bring them to justice. IT and computer security professionals tend to concentrate on slightly different aspects of technology than law enforcement does.
IT and computer security professionals monitor network traffic and investigate compromised networks, disloyal employees and insider threats, breaches of contract, malware, spam and email fraud, and theft of crucial company information. Law enforcement strictly investigates criminal activity; however, some aspects, like network traffic and malware, are commonly seen in law enforcement investigations too. Bachelor's and master's programs in computer forensics at universities are starting to become popular, and community colleges are even working with four-year bachelor's degree programs to make it very easy for working professionals to obtain a degree; community college is flexible and affordable. Finally, the military uses computer forensics in the field to gain international intelligence.

Computer forensics is present in law enforcement at the local, state, and federal levels. Local and state agencies typically have smaller units dedicated to computer forensics, usually a few detectives with special computer forensics training who are responsible for the computer forensic portion of the cases. Many departments lack the funding needed to properly support a computer forensic unit, but the Regional Computer Forensic Laboratories are an additional option where local, state and federal computer forensic examiners all work together. The laboratories offer their services to law enforcement around the United States, so departments that do not have the means to properly process digital evidence still have access to the proper resources. All Regional Computer Forensic Laboratories are run by the F.B.I., and all local, state, and federal examiners who work there are trained by the F.B.I. Furthermore, the F.B.I. and other federal government agencies have additional examiners in their field offices around the world.
Homeland Security offices, the National Security Agency, and the Federal Bureau of Investigation continue to have a growing need for examiners because of technology's exponential growth.

Top-rated software used by computer forensic examiners includes ArcSight Logger, NetWitness Investigator, Quest ChangeAuditor, Lantern, Cellebrite, Physical Analyzer, AccessData's Forensic Toolkit (FTK), and EnCase. ArcSight Logger automates the analysis, alerting, reporting, and intelligence of logs and events; it is normally used by IT security personnel. NetWitness Investigator is also used by IT security professionals, but law enforcement and other public and private firms are starting to use it to analyze network traffic too. Quest ChangeAuditor is likewise primarily an IT security tool that creates reports and analyzes network traffic; it translates raw data into user-friendly form very well. Lantern is a very good program for analyzing Apple products. A Cellebrite machine collects data from mobile devices, and a program like Physical Analyzer is used to analyze it.

AccessData's Forensic Toolkit and EnCase are widely used in law enforcement because their results are accepted in court. Both have a user-friendly interface. FTK is database driven, so an examiner will not lose work if the computer crashes. EnCase comes in different versions, such as EnCase Cyber Security, EnCase Portable for field analysis and EnCase Forensic, to name a few. EnCase Forensic offers data acquisition, analysis and reporting. One of its most powerful features is EnScript, the scripting facility, which allows the examiner to create a script for anything he or she intends to do; EnScript even allows the examiner to open and close files outside of the program. Changing the original data is one of the only things EnScript does not allow. EnCase is very powerful software that can retrieve, analyze and examine deleted data, file slack, and unallocated space.
Files are stored in fixed-size units of disk space called clusters, and when the actual file size is smaller than the space allocated to it, the leftover portion of the last cluster is called file slack. This is important because file slack can contain data that was dumped at random from the computer's memory. File slack can help the examiner find network logon names, passwords and other sensitive information associated with computer usage; on larger drives it can even hold word processing documents and emails. Furthermore, when a file is deleted, the actual data is not deleted; only the pointers to the data in the File Allocation Table or the Master File Table are removed. At this point the pointers' entries are set to "available", and the pointers to the supposedly "deleted" data are gone. This type of data is now referred to as unallocated space. Unallocated space and file slack are of high interest to computer forensic examiners because a suspect will often try to delete incriminating evidence without realizing that the data is not actually gone until it has been overwritten with new data.

Programs like EnCase are very good at recovering data that has been deleted and at finding other sensitive information that is stored on a computer just through regular computer usage, but when examiners conduct their investigation, it is extremely important that the original evidence is not tainted. This means nothing is changed, not even time and date stamps, which can change when a file is simply opened. To ensure that metadata and all other evidence on the suspect device is not changed, several steps need to be taken. Two of the most important techniques are using a write blocker and creating an image, or copy, of the original data. A write blocker does exactly what its name implies: it stops all data from being written to the drive and ensures the data will not change.
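The cluster, file slack and unallocated-space behaviour described above, as an added example that is not part of the original paper: a toy in-memory volume (hypothetical `ToyVolume`, with a constructed 512-byte cluster size and constructed file contents) deletes a file by dropping only its table entry, then shows the old bytes surviving in the slack of a new file and in the unallocated clusters.

```python
# Constructed toy volume (not a real file system, not EnCase): models cluster
# allocation, file slack and unallocated space the way the text describes them.
CLUSTER = 512      # toy cluster size in bytes; real volumes commonly use 4096
N_CLUSTERS = 8

def slack_bytes(file_size, cluster=CLUSTER):
    # bytes left unused in the last cluster once file_size bytes are stored
    remainder = file_size % cluster
    return 0 if remainder == 0 else cluster - remainder

class ToyVolume:
    def __init__(self):
        self.disk = bytearray(N_CLUSTERS * CLUSTER)
        self.table = {}  # name -> (first_cluster, n_clusters, size): the "pointers"

    def free_clusters(self):
        used = {c for f, n, _ in self.table.values() for c in range(f, f + n)}
        return [c for c in range(N_CLUSTERS) if c not in used]

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)  # ceiling division: clusters required
        free = self.free_clusters()
        # toy simplification: need a contiguous run starting at the first free cluster
        assert free[:need] == list(range(free[0], free[0] + need)), "no contiguous run"
        start = free[0] * CLUSTER
        self.disk[start:start + len(data)] = data  # only len(data) bytes change
        self.table[name] = (free[0], need, len(data))

    def delete(self, name):
        del self.table[name]  # pointers dropped; the clusters' bytes stay as they were

    def slack(self, name):
        first, n, size = self.table[name]
        return bytes(self.disk[first * CLUSTER + size:(first + n) * CLUSTER])

    def unallocated(self):
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in self.free_clusters())

def demo():
    vol = ToyVolume()
    old = b"logon=jdoe password=Sample-Pw1 " * 30  # constructed, 930 bytes -> 2 clusters
    vol.write("notes.txt", old)
    vol.delete("notes.txt")
    vol.write("memo.txt", b"short memo")  # 10 bytes overwrite the start of cluster 0
    return {
        "slack_size": slack_bytes(len(b"short memo")),
        "slack_has_old_data": b"password=" in vol.slack("memo.txt"),
        "unallocated_has_old_data": b"password=" in vol.unallocated(),
    }
```

A raw keyword search of the whole toy disk, rather than of the allocated files, is what finds the remnant in both places.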
The write blocker is a key tool for an examiner because it means investigations can be conducted without extreme caution about each step. Likewise, imaging is another key computer forensic tool that safeguards the original evidence. Once an image of the data is made, the original does not even have to be touched; the examination can be done on the copy. This precaution is essential because it always leaves the original digital evidence untainted, and many times multiple images are made as an extra precaution. Having ensured that the evidence will not be tainted, it is essential that the examination is done on an exact image of the original data. The copy and the original must be the same or the completed analysis will be void. EnCase verifies that the duplicate image mirrors the original data by hash and redundancy check values. Just as an IP address is a unique identifier, hash and redundancy check values are essentially a fingerprint of the evidence, made up of a long string of numbers and letters. To calculate the hash, the MD5 hash algorithm is used and the value is written into the evidence file. It then becomes a permanent part of the case documentation, proving that the data has not been altered since the time of acquisition.

Many times an investigator knows what type of evidence he or she needs to find for a conviction, and EnCase offers search tools to meet these needs. There are two ways to perform a search in EnCase, a Raw Search and an Indexed Search. A Raw Search searches the entire drive for the examiner's chosen keywords. An Indexed Search requires the drive to be indexed before the search is conducted; indexing can take some time, depending on how big the drive is, but once indexing is complete, searches are instantaneous. After finding critical evidence, it is important that an examiner is able to save or bookmark that evidence so it can easily be found again.
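An added example, not code from EnCase or from the original paper, of the two safeguards just described: a hypothetical read-only `WriteBlockedDevice` that refuses writes, an `acquire` pass that images the device and records MD5 (the algorithm the text names) together with SHA-256 and CRC32, and a `verify` check that fails once a single timestamp in a working copy is changed. The evidence bytes are constructed.

```python
import hashlib
import zlib

# Added example, not EnCase code: a toy write-blocked device, an imaging pass that
# records hash and redundancy-check values, and verification of the image.
class WriteBlockedDevice:
    """Read-only view of a drive: emulates what a hardware write blocker enforces."""
    def __init__(self, raw):
        self._raw = bytes(raw)

    def __len__(self):
        return len(self._raw)

    def read(self, offset, length):
        return self._raw[offset:offset + length]

    def write(self, offset, data):
        raise PermissionError("write blocked: evidence drive is read-only")

def acquire(device, chunk=4096):
    """Copy the device chunk by chunk and record MD5, SHA-256 and CRC32 of the image."""
    md5, sha256, crc, image = hashlib.md5(), hashlib.sha256(), 0, bytearray()
    for offset in range(0, len(device), chunk):
        block = device.read(offset, chunk)
        image += block
        for h in (md5, sha256): h.update(block)
        crc = zlib.crc32(block, crc)
    # MD5 is no longer collision resistant, so SHA-256 is recorded alongside it.
    record = {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "crc32": f"{crc:08x}"}
    return bytes(image), record

def verify(image, record):
    return (hashlib.md5(image).hexdigest() == record["md5"]
            and hashlib.sha256(image).hexdigest() == record["sha256"]
            and f"{zlib.crc32(image):08x}" == record["crc32"])

def demo():
    evidence = WriteBlockedDevice(b"MTIME=2013-11-18 BODY=sample text " * 400)  # constructed
    image, record = acquire(evidence)
    working_copy = bytearray(image)
    working_copy[6:16] = b"2013-11-19"   # the kind of timestamp change opening a file causes
    try:
        evidence.write(0, b"x")
        blocked = False
    except PermissionError:
        blocked = True
    return {"image_ok": verify(image, record),
            "altered_copy_ok": verify(bytes(working_copy), record),
            "write_blocked": blocked}
```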
EnCase provides seven ways to bookmark evidence: Raw Text Bookmarks, Data Structure Bookmarks, Notable File Bookmarks, Multiple Notable File Bookmarks, Note Bookmarks, Table Bookmarks, and Transcript Bookmarks. Ultimately, all the bookmarks, notes, and everything else found through EnCase are automatically documented in a report through the EnCase report generator. The reports can be exported as written proof for the final portion of a computer forensic investigation; for law enforcement, for instance, the final part of an investigation is presenting the evidence in court.

Overall, computer forensics is the collection, preservation, analysis and presentation of computer-related evidence. A computer forensic examiner is trained to use technology to extract digital evidence from a media device in order to prove that a certain incident took place. Today's computer forensic software and tools overcome difficult problems that would otherwise taint digital evidence and force it to be thrown out. In the practice of computer forensics, it is highly recommended that an examiner use the most up-to-date tools and software so that processes and procedures comply with all legal specifications. Whether it is law enforcement or security professionals, computer forensic techniques are used when responding to an incident, whether corporate or criminal.